
Bitlocker can be configured (via manage-bde on the cmdline, iirc) to use a passphrase and not use the TPM at all.



Yeah, for unlocking it within a host OS as a data disk, not for booting from it... you can set auto-unlock at boot or a PIN to boot, both of which use the TPM.

But try to move a bootable BitLocker-encrypted disk to new hardware and you'll have to enter the recovery key.

I would really like to be wrong about this since it would make my life much easier, but this understanding is based on experience using multiple work machines with encrypted boot drives every day :(


> Yeah for unlocking it within a host OS as a data disk, not for booting from it...

This is not true. You can configure BitLocker with or without TPMs.

Just Google it. Also, the doc for the PowerShell command talks about it in the "establishing a key protector" section:

https://docs.microsoft.com/en-us/powershell/module/bitlocker...


Ya, I ran for a long time with a passphrase in a system without a TPM. I recently got a TPM for it so I could have it restart without me being present.

I used the `manage-bde` command rather than PowerShell:

https://docs.microsoft.com/en-us/windows/security/informatio...

The GUI for BitLocker doesn't provide access to all the functionality that manage-bde provides (iirc: if a TPM is present, the passphrase options aren't presented in the GUI. And it used to talk about a "PIN" instead of a passphrase/password, but the "PIN" can (with some GPO tweaking) contain letters/space/punct as well as numbers).


Oh wow, thank you! Should've known to head straight to the docs instead of searching phrases online. Now to spend the next day backing everything up and configuring a passphrase on boot...
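The procedure the comments above describe (an OS volume already encrypted with a TPM protector, switched to a pre-boot passphrase), written out as an added example that is not from the thread or from Microsoft's docs. It uses the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) rather than manage-bde. Assumptions: the OS volume is C:, and the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE named below are the ones the "Allow BitLocker without a compatible TPM" policy writes; check the policy in gpedit.msc if the first step refuses.

```powershell
# Added example (not from the thread): move an OS volume from TPM unlock to a
# passphrase, taking a recovery password first so a mistake cannot lock you out.
# Run from an elevated PowerShell; the BitLocker module ships with Windows.
#Requires -RunAsAdministrator

$MountPoint = "C:"   # assumption: the boot/OS volume is C:

# 1. Policy check. A password protector on the OS volume is only accepted when
#    "Require additional authentication at startup" is enabled together with
#    "Allow BitLocker without a compatible TPM". Assumption: these are the
#    registry values that policy sets; confirm in gpedit.msc if this throws.
$fve    = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not ($policy.UseAdvancedStartup -eq 1 -and $policy.EnableBDEWithNoTPM -eq 1)) {
    throw "Enable 'Allow BitLocker without a compatible TPM' (gpedit.msc or MDM) first."
}

# 2. Show what currently protects the volume encryption key (expect a Tpm entry
#    plus, usually, a RecoveryPassword entry).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: protection {1}, {2}% encrypted" -f $vol.MountPoint, $vol.ProtectionStatus, $vol.EncryptionPercentage
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

# 3. Make sure a recovery password exists and is stored offline BEFORE touching
#    the TPM protector. This is the key you need when the disk moves to new hardware.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword" | Select-Object -First 1
Write-Host "Recovery password (write it down / escrow it now): $($rp.RecoveryPassword)"

# 4. Add the passphrase protector. Read-Host -AsSecureString keeps the passphrase
#    out of the console history; -Password takes a SecureString.
$pw = Read-Host -Prompt "New pre-boot passphrase" -AsSecureString
Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $pw | Out-Null

# 5. Remove every TPM-based protector (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey)
#    so the drive no longer unlocks automatically on this particular hardware.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector | Where-Object { $_.KeyProtectorType -like "Tpm*" } | ForEach-Object {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
}

# 6. Final state: expect RecoveryPassword and Password, and no Tpm* entries.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

The same steps with manage-bde, as the thread mentions, are `manage-bde -protectors -add C: -Password` followed by `manage-bde -protectors -delete C: -type TPM`; for a volume that is not encrypted yet, `Enable-BitLocker -MountPoint C: -PasswordProtector -Password $pw` creates the passphrase protector in one step. The ordering matters: the recovery password is taken and copied somewhere safe before the TPM protector is deleted, because once it is gone the passphrase and the recovery password are the only ways back into the boot drive.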



